ORRS 2011 (Text) REVISED: 12 JULY 2012
Thomas Mueller (Deutsche Bank)
Prepared by: Mark Laycock
Copyright & Disclaimer Notice
All rights in this document are owned and controlled by ORX. ORX permits it to
be used internally by Members, but not transmitted publicly in whole or in part.
ORX has prepared this document with care and attention. ORX does not accept
responsibility for any errors or omissions. ORX does not warrant the accuracy
of the comments, statements or recommendations in this document. ORX shall
not be liable for any loss, expense, damage or claim arising from this document.
The content of this document does not itself constitute a contractual
agreement; ORX accepts no obligation associated with this document except as
expressly agreed in writing.
Operational Risk Reporting Standards
If ORX Members have queries on the text or would like to raise issues for concern
then they should email Mark Laycock of the ORX Secretariat ([email protected])
with a description of the issue.
Contact Information
Contact address: c/o Balmer Etienne AG
Dreikonigstrasse 34
CH-8002 Zurich
20 July 3.4.1 Requirement for Credit Risk-Operational Risk Boundary
28 September 3.2.3 Legal Events
9 December Board ratifies DWG Recommendations
10 May 2012 3.2.4 Uncollected Revenues – added example, deleted example
15 June 1.5
27 June 3.2.3 Legal Costs Decision Tree
TABLE OF CONTENTS
1.2 Document Structure
1.4 Governance of ORRS
2. Data Quality Governance
2.1 Introduction
3. What to Report – Definitions & Boundaries
3.1 Operational Risk
3.1.1 Operational Risk
3.1.2 Legal Risk
3.2 Operational Risk Event
3.2.1 Grouped Losses (vs Single Events)
3.2.2 Linked Events
3.2.3 Legal Events
3.2.4 Tax Events
3.3 Operational Risk Loss
3.3.1 Lifecycle of an Operational Risk Loss
3.3.2 Timing Losses
3.3.3 Pending Losses
3.4 Boundary between Operational and Other Risks
3.4.1 Credit Risk
3.4.2 Market Risk
3.4.3 Strategic Risk
3.4.4 Project Risk
3.4.5 Business Risk
3.4.6 Reputational Risk
3.4.7 Liquidity Risk
4. Determine the Operational Risk Loss Amount – Quantification
4.1 General Principles
4.1.1 Gross Loss
4.1.2 Recoveries
4.2 Special Cases
4.2.1 Rapid Recoveries
4.2.2 Revenue Adjustment
4.2.3 Uncollected Revenue
4.2.4 Fixed Assets, Investment Assets, and Intangibles
4.2.5 Provisions & Reserves
4.2.6 Regulatory Action – Fines and/or Penalties
4.3 FX Conversion Rates
5. How to Categorise Operational Risk Losses
5.1 Business Lines
5.1.1 Corporate Items
5.1.2 Events Affecting Multiple Business Lines
5.1.3 Materiality
5.2 Event Types
5.4 Process Types
5.6 Country Codes
6.1 Gross Income
7. Technical issues: Threshold, History, Coverage, etc
7.1 Reporting Gross Loss Threshold
7.2 Time Period
7.3 Consolidated Reporting
7.5 Submitting Historical Data
7.6 Effects of Acquiring or Disposing of Business Units
7.7 Submitting Losses for a New Business Line
7.8 Stopping Reporting for an Existing Business Line
7.9 Mergers between Members
7.10 Leaving ORX
1.1 OBJECTIVES OF THIS DOCUMENT
This document describes the standards for reporting Operational
Risk losses for
consolidation and analysis in the ORX global database by Members of
ORX.
These standards may serve as a useful reference for Non-ORX firms
for
categorising Operational Risk losses; as such the standards are
provided and
published as an industry resource.
This document contains a number of definitions and principles to
promote the
consistency of reporting and data categorisation. The Definitions
Working Group
(DWG) has found it useful to refer to these definitions and
principles when
discussing issues around categorisation and various boundaries, in
particular
between Operational and Other Risks.
This 2011 edition of the Operational Risk Reporting Standards
(ORRS) supersedes
and replaces the current version from 2007. The main changes since
the 2007
edition have been the addition of categories for Products,
Processes and additional
attributes for Large Losses.
ORX Members are free to adopt varying definitions and methodologies
for internal
loss recording and reporting. However, each Member is required to
make
submissions to the ORX global database following the uniform
standards and
definitions set out below.
These standards relate to the ORX global database of Operational
Risk losses. A
number of Sector Databases have been, or are in the process of
being established
by ORX. These Sector Databases may have particular emphasis on
geography or
business activity, for example Canada and Investment Banking. The
standards for
these Sector Databases may deviate in some way from the standards
for the global
database. The relationship between the Global and Sector databases
is more
completely described in Section 1.3 page 6.
Data submission to the ORX global database is made on a quarterly
basis. Each
time there is a data reporting cycle, Members will produce and send
their data
since inception (January 2002 for founding Members). Members are
expected to
report their full loss data history. See Section 7.4 “Exceptions to
Complete Reporting” for further reference.
ORX is aware that all Members are constantly refining their
internal processes for
capturing Operational Risk losses/events. As a consequence of this
constant
refinement, Members are allowed to modify and/or update their
previously reported
records.
A number of aspects around the ORX global database promote
anonymity of the
individual members. In some instances these aspects relate to the
delivery of
historic data by new Members, in other instances it affects the
granularity of the
reports back to Members. For example, Members provide country level
data, but
receive back regional level information. Anonymity and
confidentiality around the
ORX databases and data are important and are reflected in the
Articles of
Association of ORX.
1.2 DOCUMENT STRUCTURE
The document has been restructured, in comparison to earlier
editions, to promote
clarity and ease of finding details.
Each topic begins with a Principle / Definition section. This is
then followed by the
reporting Requirement and Examples. The final parts of the
individual topic relate
to Cross-References and ORRS Updates. The examples may be
sub-divided into
examples of Inclusions and examples of Exclusions.
Details of all categories can be found in an Appendix, which has
been moved into a
separate document. These detailed descriptions may include
additional examples
as well as notes.
This document is primarily concerned with the Operational Risk
Reporting
Standards that apply to the Global Database. As one of the strategic
initiatives for ORX is the development of Sector Databases, it is important
that the relationship
between these Operational Risk Reporting Standards and the Sector
Databases is
clearly understood and appreciated.
Sector Databases may address a variety of interests, for example
geographic or
activity. An example of a Geographic Sector Database is the
Canadian database.
An example of an Activity Sector Database is Investment
Banking.
Where the Sector Databases primarily have banks as Members and the
focus is
upon loss data then it is efficient for these Sector Databases to
follow the standards
for the Global Database. The efficiency is in terms of Standards
and supporting
system infrastructure. This implies that where the standards for
the Global
Database change then these changes will be reflected in the Sector
Database.
Where the Members of the Sector Database agree to deviate from the
standards
for the Global Database they can do so. For example a Geographic
Sector
Database may decide to have a lower reporting threshold. An
Activity Sector
Database may decide to have additional exposure indicators and
additional levels
of granularity in Business Lines or Event Types.
Where the Sector Database does not have banks as Members, for
example in the
case of insurance companies (even if they are subsidiaries of
banks) then changes
will be required. Such changes may be in the detailed business
lines and other
data categories, such as Products. For the Sector Databases, the
responsibility for
agreeing and documenting the reporting standards belongs to the
participants of
that database.
In any case, substantial incremental costs from deviating from the
standards of the
Global Database may be reflected in the costs of membership to the
respective
database.
1.4 GOVERNANCE OF ORRS
Changes to the Operational Risk reporting standards must be
approved by the
Board of ORX. The Definitions Working Group has the responsibility
for reviewing
the Operational Risk Reporting Standards and making recommendations
to the
Board of ORX.
The Definitions Working Group will review requests from individual
Members as
well as from the Quality Assurance Working Group.
The Definitions Working Group has the authority to generate and
publish
clarifications of definitions or additional examples of particular
situations. The
vehicle for these clarifications is ORRS Updates.
The Definitions Working Group has the authority to recommend
substantive
changes to the Board of ORX during the year. This category also
includes
recommending categories for industry events for Board endorsement.
The vehicle
for these substantive statements is ORRS Updates.
The Definitions Working Group will conduct an annual review of the
Operational
Risk Reporting Standards. Changes may be in response to ORRS
Updates since
the last review.
2. DATA QUALITY GOVERNANCE
2.1 INTRODUCTION
This document, the ORX Operational Risk Reporting Standards, is
part of a wider
effort leading to Members receiving data from ORX that is fit for
purpose. While
ORX can support Members in achieving this standard, only Members
can deliver
the data that meets or exceeds the standards.
Members use the ORX data for a number of purposes, including:
• direct inputs to Economic or Regulatory capital calculations
• direct inputs or use in validating scenarios
• benchmarking capital calculation results
• assessing the Operational Risk performance of:
    • Businesses
    • Regional Managers
Although this document is updated periodically, Members are
encouraged to use
the ORRS Update process, operated by the Definitions Working Group,
as a means of clarifying the categorisation of losses.
In addition to this document ORX supports data quality through
processes operated
by the Quality Assurance Working Group (QAWG). The QAWG operates
four
quality related processes:
1. Data Cycle – Delivery Tests
2. Data Cycle – In-Cycle Quality Assurance Testing
3. Periodic Portfolio Review
4. Annual Data Attestation Exercise
These processes are intended to support individual Members in their
data
deliveries as well as provide assurance to users of the data that
it is fit for purpose.
2.2 ORX REQUIREMENTS & PROCEDURES
Definition: Data Quality has a number of dimensions. From an ORX
perspective
the following five dimensions are assessed during the quarterly
data delivery
cycles.
1. Timeliness of completing the data delivery,
2. Format of the data submissions
3. Completeness of the data delivery,
4. Adherence to the Operational Risk Reporting Standards, and
5. Responsiveness to data delivery enquiries made by PwC.
The Annual Data Attestation exercise and Periodic Portfolio review
are additional
processes to ensure data quality and may have some overlap with
the
assessments conducted as part of the data cycle, but they also
capture additional
features.
The last item is included as an aspect of data quality as the
response time by
Members can affect the timing of the publication of data which can
have a knock-on
impact on the ability of Members to use the data.
Requirement: Members are required to provide data that meets the
requirements
of the ORX data quality dimensions 1-5 plus accuracy.
Members are expected to conduct an annual data quality review
involving an
independent party. This independent party does not have to be an
audit function
but could be from Credit or another function with experience of
categorising data. If
Members are performing data quality reviews for internal and/or
regulatory
purposes then that should also be satisfactory for ORX
purposes.
In the case of completeness of reporting, Members should be aware
of the choices
available for the reporting of reserves / provisions (Section
3.2.3), especially where
litigation is involved.
Background: The QAWG has specified a number of tests to be applied,
by the
ORX Secretariat, to data prior to publication to ORX Members as
well as the
Annual Data Attestation Exercise and Periodic Portfolio
Reviews.
ORX applies a number of pre-defined tests and reviews to the data,
prior to
distribution. The results of the tests are shared with PwC and PwC
is asked to
contact Members that reported particular loss events. Feedback from
the Member
to PwC is relayed back to ORX and the QAWG by PwC. The QAWG makes
the
decision as to whether the data is of adequate quality for
publication.
The range of tests is expected to evolve as experience is
accumulated and issues
are brought to the attention of the QAWG by ORX Members.
3.1 OPERATIONAL RISK
3.1.1 OPERATIONAL RISK
Definition: “Operational Risk (OR) is defined as the risk of loss
resulting from
inadequate or failed internal processes, people and systems or from
external
events. This definition includes legal risk, but excludes strategic and
reputational risk” (see Basel II Accord section V. A. §644).
Cross-reference: In January 2001, the Basel Committee defined
Operational Risk
as used by ORX above. This definition has been applied within the
respective local
regulations, i.e. the European Commission’s Capital Requirement
Directive
2006/48/EC (CRD) for example as “Operational Risk means the risk of
loss
resulting from inadequate or failed internal processes, people and
systems or from
external events, and includes legal risk.”
Despite such differences in the texts, the definition of
Operational Risk within the
CRD should be read consistently with that of the Basel II Accord,
meaning that
reputational and strategic risks should be excluded from the scope
of Operational
Risk. (CEBS, 2009, Compendium). As an introduction to the details
of the topic,
the three paragraphs below are quoted from regulatory
guidance.
As part of the bank’s internal Operational Risk assessment system,
the bank must
systematically track relevant Operational Risk data including
material losses by
business line. It must have documented, objective criteria for
allocating losses to
the specified business lines and event types.
A bank's internal loss data must be comprehensive in that it
captures all material
activities and exposures from all appropriate sub-systems and
geographic
locations. Aside from information on gross loss amounts, a bank
should collect
information about the date of the event, any recoveries of gross
loss amounts, as
well as some descriptive information about the drivers or causes of
the loss event.
A bank must develop specific criteria for assigning loss data
arising from an event
in a centralised function (e.g. an information technology
department) or an activity
that spans more than one business line, as well as from related
events over time.
3.1.2 LEGAL RISK
Definition:
Legal Risk is the risk of loss resulting from exposure to 1) non-compliance with
regulatory and/or statutory responsibilities and/or 2) adverse
interpretation of
interpretation of
and/or unenforceability of contractual provisions. This includes
the exposure to
new laws as well as changes in interpretations of existing law(s)
by appropriate
authorities and exceeding authority as contained in the contract.
This applies to
the full scope of Group activities and may also include others
acting on behalf of
the Group. Legal Risk is a component of Operational Risk.
Cross reference:
Legal Risk includes, but is not limited to fines, penalties, or
punitive damages from
supervisory actions, or to judgments or private settlements (see
Basel II Accord
section V. A. §644 - Definition of Operational Risk) or to the
reduction in asset
values or cashflows.
Examples - Included in Reporting to ORX
• Change over time, in the interpretation by judiciary, of “treating
customers fairly”. This may result in the original treatment being
classified as “unfair”.
• Lack of Duty of Care or Negligence in executing responsibilities.
• Acting improperly in the termination of a finance agreement.
• Inaccurately or incorrectly drafted contracts or errors or
omissions in documentation.
• Lack of due diligence on the accuracy of claims or statements in a
prospectus for securities and/or underwriting.
• Use of somebody’s Intellectual Property without appropriate
permission(s).
3.2 OPERATIONAL RISK EVENT
Definition: An Operational Risk event is an event leading to the
actual outcome(s)
of a business process to differ from the expected outcome(s), due
to inadequate or
failed processes, people and systems, or due to external facts or
circumstances.
ORRS Update:
ORX ORRS Update - (0026) Process PC0600 Stream-3 (Draft) 12 Aug
10.doc
3.2.1 GROUPED LOSSES (VS SINGLE EVENTS)
Definition: Grouped losses are defined as losses with the same
underlying cause.
For risk calculation purposes and ORX reporting purposes these have to be
considered as a single event.
Events can be Grouped within a Business Line and between Business
Lines (see
also Section 3.2.2).
Requirement: An event may have multiple associated losses. In such
cases, an
investigation may be necessary to identify the “root event”—that
is, the initial event
without which none of the related losses would have occurred. For
ORX purposes,
the root event is included in a single record, containing all
related losses, and is
classified according to its specific event characteristics.
Examples - Included in Reporting to ORX
• Repeated mistakes due to a failure in the Business Model, a business
process or due to a flawed product are considered to be a single event
(e.g. in certain products the bank performs a systematic rounding to its
benefit which is later found to be an abusive market practice). Note: such
OR events are often triggered by retrospective changes in law or
interpretation of law.
• Multiple refunds to clients are considered a single event when there is a
common underlying allegation irrespective of the resolution of the cases
through a class action lawsuit or individual lawsuits / voluntary
settlements (i.e. misstatement of issue prospectus, allegation that bank
should have known of the deterioration of the condition of the financial
asset). Such events may have a single provision set aside for all related
claims.
• Multiple impacts from a single cause (e.g. many mis-priced transactions
from a single incorrect piece of reference data, or refunds because
documents are lost during a relocation) are considered to be a single event.
• Fraud losses connected by a common plan of action (e.g. the same scheme
being used to defraud many different victims, which may involve many small
transactions or small losses, a common perpetrator or organized criminal
group) are considered to be a single event.
• A technology outage which affects multiple lines of business.
• An individual or group which receives incorrect instructions which results in
multiple losses should be aggregated due to the common cause.
Examples – Excluded from Reporting to ORX
• Multiple errors made by a single individual over a period of time
are treated
as single events and not to be grouped.
3.2.2 LINKED EVENTS
Definition: A linked event is a single event which impacts more
than one business
line.
Requirement: In cases where an Operational Risk event impacts more than one
Business Line, members should assign the event to the Responsible Business - the
business in which the event began. If responsibility for an event is factually
unclear, then responsibility can be assigned according to one of the following
rules which provide an approximation for splitting an event to more than one
Business Line, for example:
• business process out of which the event arose
• the P&L allocation can provide an approximation for splitting an event to
more than one Business Line.
It should be noted that the splitting (and linking) of events is
not permitted for any
other category (e.g. Event Type, Product or Process).
Where the aggregated Gross Loss of all Grouped Losses reaches the
threshold for
Large Loss Events (currently €10 million), the Root Event is
considered a Large
Loss Event, for which additional Loss Attribute reporting is
required; again the
categories must be equal for all records reported to ORX.
Examples – Included in Reporting to ORX
For events like natural disasters, where there is no business that is
responsible for the event, then the event can be assigned to
1. the business with the largest P&L impact, or
2. multiple business lines based on P&L, split of the incurred costs or
some other metric, or
3. Corporate Items (this is the least desirable).
Example of Relationship between Grouped & Linked Losses
There is a disease outbreak in Hong Kong affecting 3 business lines
and corporate
centre activities. Losses incurred are:
Late Transaction Settlement
Costs to disinfect building etc
Total
Corporate Centre (Finance)
100k 5k 105k
Total 100k 850k 205k 1,155k
Grouped Event: This is considered as one event for the firm with a
total loss
amount of 1,155k
Linked Event: This event affects multiple business lines so there
are 4 linked
records reported to ORX
Trading & Sales 400k
Retail Banking 300k
Asset Mgt 350k
Corporate Items 105k
Note that the event type is EL0501 - Disasters & Public Safety / Natural
Disasters & Other Events.
ORRS Updates:
ORX ORRS Update - (0011) Loss Allocation Legal Entities (Req) 8 Apr
10.Doc
ORX ORRS Update - (0012) Loss Allocation Products (Req) 4 March
2010.Doc
ORX ORRS Update - (0015) Classification of Root Events (Prop )22
Jun 10.doc
3.2.3 LEGAL EVENTS
Definition: Legal events are defined as dispute resolution
activities especially with
regard to legal risk (see Section 3.1.2). This may include
litigation, arbitration and
tribunals.
Requirement: A legal event is not an event type; it is in fact an issue arising
from internal causes / failures and/or external causes. It encompasses all
active and passive lawsuits (plaintiff / defendant) as well as out-of-court
settlements and defence against frivolous and unsubstantiated claims.
Only legal events related to alleged or actual, operational risk
events experienced
by the Member are to be reported to ORX.
[Figure: Reporting Legal Event Costs to ORX (decision tree). Surviving labels:
“Formal Notification of Action via Court, Arbitration, Tribunal or Expert Panel
/ Decision to Settle - In or Out of Court”; “OR Defendant”; “OR Plaintiff”;
“Non-OR Event”; “Any costs + fines reported to ORX”; “Any costs + fines not
reported to ORX”; “Is the underlying” (label truncated).]
For reporting, the event type classification follows the underlying allegation
of the claim (for example “Suitability, Disclosure & Fiduciary” EL0401); the
Date of Discovery is the earlier of the date the claim is received by the bank
or the event is discovered; the Date of Recognition is the date the first cost
has been accounted for in the P&L; and gross loss, for reporting to ORX,
includes external lawyers' fees, court fees, other litigation expenses etc. as
well as the cost of settlement.
Where the bank initiates (as plaintiff) a legal event the
underlying Operational Risk
loss must be recorded. External legal costs are to be reported as
they are incurred
provided the underlying event is an operational risk event. The verdict or
settlement received from the defendant (if any) is considered a recovery. Where
an operational risk event is not alleged or experienced by the Member, then
such legal costs are not to be reported to ORX.
If the firm’s costs are to be paid by the counterparty, as
determined by the court or
tribunal etc., then the amount paid by the counterparty is treated
as a Direct
Recovery. (It is treated as a Direct Recovery, and not as a Rapid
Recovery, as
payment may take more than 5 business days to receive.)
In cases where the existence of an underlying Operational Risk event is
determined through a court decision, the event must only be reported at the
settlement of the
legal event. E.g. a former employee (fund manager) or partner of
the bank is sued
for alleged fraud; the court finds no evidence; he was only a poor
fund manager. As
there is no underlying Operational Risk event there is nothing to
report to ORX.
A member has the option to report a reserve/provision for a legal
event at the
settlement date due to concerns related to “Discoverability” or
other legal issues.
The event is to be reported as soon as the legal impediment is
removed and/or the
case is settled. This rule does not apply when the bank publicly
discloses the
provision amount.
Examples – Included (non-exhaustive list) in Reporting to ORX
• Following a legal event, the bank has to bear legal costs but is
compensated by the
counterparty. The costs are to be entered as OpRisk losses (legal
costs), the
compensation from the counterparty as direct recovery.
• Following a legal event, the bank has to bear legal costs. The
costs are directly
paid by the counterparty to the recipient (law firm, court, etc.).
These costs are
not included in the gross loss amount.
• A bank enters a lawsuit on January 1st, legal fees arising during
the year and
subsequently are reported to ORX as they are incurred or
provided/provisioned for. The settlement amount may be reported at
the
settlement date for discoverability reasons.
• Litigation resulting in a loss due to a fraud event (internal or
external), where
the firm had duty to prevent (as in forged checks, unauthorized
credit card
use, control of own employees, etc.);
• Successful legal defences where the full costs are not borne by the
counterparty
mark-to-market errors in institutions’ financial accounts
• Violations of employment laws (including laws prohibiting
discrimination);
• Losses for which the firm may bear vicarious liability;
• Loss resulting from accident/injury for which the firm may be
legally
responsible;
• Failure to follow regulatory prescriptions resulting in fines or
assessments
(taxes, money laundering, etc.);
• Losses due to retroactive changes in laws or regulations
affecting the firm’s
business, even though they may not be avoidable (this constitutes
an
external impact). (changes in tax jurisdiction etc.);
• Misuse of third party intellectual property, patents, etc.;
• Fiduciary duty/conflict of interest violations;
• Consumer protection law/securities law/common law
fraud/commercial
conduct violations;
outsourcing partners)
• Obligation to make client whole for losses resulting from mismanagement of
client property or transactions;
• Refunds (or discounts of future services) to customers caused by
Operational
Risk events, before the customers can lodge a complaint but, for
example,
after the institution has already been legally required to refund
other
customers for the same event;
• If a firm has suffered an Operational Risk loss as a victim
(e.g., from unfair
competition, contract violation, etc.) and seeks recovery through
litigation
A trader is dismissed for alleged rogue trading after causing
trading losses of
€10m. The bank initiates litigation with the trader, who claims "no
wrongdoing". If
the trader wins, the loss is not Internal Fraud (EL01), but could
be some other form
of Operational Risk or Market Risk. It is not always certain, at
the time the action is
initiated, that this is an operational risk event. As a result, the
reporting of losses
including legal fees can only take place once the case is
settled.
Examples – Excluded from Reporting to ORX
• If there is no underlying OR event then there is nothing to
report to ORX,
irrespective of whether the firm has incurred expenses
• Use of external counsel / attorneys for general advice, document
preparation
or review, legislative representation, etc. outside the context of
a specific
dispute or litigation.
• Technical litigation (inter-pleader, quiet title actions, etc.)
in which the firm is
not a substantive stakeholder.
• Court / tribunal / arbitration settlements which are used in
certain jurisdictions
as a standard procedure to determine a final payoff to an employee
at
retirement or when terminating a work contract (without any
allegation of any
wrongdoing on any side) whereas in other jurisdictions the amount
of a
settlement is determined via defined rules / laws.
• Legal costs and attorneys fees for credit/collection cases or
other disputes
not involving an Operational Risk event.
Cross-Reference:
Observation & Discovery Date Section 3.3.1
Provisions Section 4.2.5
ORRS Updates
ORX ORRS Update - (0006) Legal Risk No Blame (Req) 10 Dec
09.Doc
ORX ORRS Update - (0008) Legal Risk External Fees (Req) 10 Dec
09.Doc
ORX ORRS Update - (IE0013) Payment Protection Insurance (Rec) 7 May
10.Doc
3.2.4 TAX EVENTS
Definition: Tax events are defined as fines, penalties and legal
costs from tax
authorities on tax due to bank operations and in addition the
unpaid tax when
performing a service on behalf of clients. These Tax Events are a
consequence of
a prior event that led to the sanctions being applied by the tax
authorities. As a
result, Tax Events should be allocated to the event category that gave rise to
them, for example EL0402 Improper Business or Market Practices.
Payment by: External
(e.g. clients, employees)
interest OpRisk loss not reported OpRisk loss
tax payment not reported not reported OpRisk loss
fine
interest
Examples – Included in Reporting to ORX
When performing a service on behalf of a client, the unpaid tax
which can be
claimed from the recipient of the service (i.e. client) is part of
the loss, any
recovery from a client would be considered as such.
Withholding Tax claimed by Tax Authorities, not charged to the
customer,
due to misinterpretation of Regulation or procedural error (when
the Bank
acts as an agent of the Tax Authorities).
Tax penalties and associated interest or regulatory fines
Tax penalties and associated interest incurred when performing a
service as
an agent on behalf of the customers are treated as an Operational
Risk
event.
Examples – Excluded from Reporting to ORX
Late Tax payments to Tax Authorities are not considered Operational
Risk
losses (even if they are disputed at court) as they may be regarded
as timing
impacts (see Section 3.3.2).
3.3 OPERATIONAL RISK LOSS
Definition: An Operational Risk loss is a negative and quantifiable
impact on the
P&L of the firm due to an Operational Risk event:
Requirement: ORX requires you to report all events where the gross
loss is
greater-than-or-equal-to EUR 20,000. It is the responsibility of
a member to
ensure the collection and reporting of all Operational Risk events
where the EUR
20,000 threshold applies. Whether to collect Operational Risk
events below EUR
20,000 for internal purposes is left to the member – at present
reporting of these
events to ORX is not necessary.
3.3.1 LIFECYCLE OF AN OPERATIONAL RISK LOSS
Definition: Three important dates in the life cycle of an OR event
are:
1 Date of Occurrence: the date when the event happened or first
began,
2 Date of Discovery: the date on which the firm became aware of
the event, and
3 Date of Recognition / Accounting Date: the date when a loss
or
reserve/provision was first recognized in the P&L
Requirement: ORX requires the submission of three dates
(occurrence, discovery,
recognition / accounting) in connection with each event
record:
For grouped losses the first date (occurrence, discovery,
recognition) is always used
even if multiple losses are posted at different times in the
General Ledger (Section
3.2.1). The event will subsequently be updated as the financial
impacts are
incorporated over time. The dates are generally constant over the
lifecycle of an
OR Loss.
Example – Included in Reporting to ORX
A theft was perpetrated on November 10, 2003 [date (1)]. The theft
was
identified on December 15, 2003 [date (2)]. The loss was booked in
the P&L
on January 15, 2004 [date (3)]. This event will be reported as a
Q1-2004 loss
for ORX.
Example – Excluded from Reporting to ORX
Losses which are not recognized in the P&L are not reported to
ORX.
3.3.2 TIMING LOSSES
Definition: Timing losses are due to Operational Risk events which
result in the
temporary distortion of an institution’s financial accounts (i.e.
material misstatement
of the institution’s financial statements).
Requirement: Timing Losses should NOT be included in the ORX
submission.
However, an initial timing loss may lead to an OR loss, which must
be submitted.
This is a deliberate difference from the CEBS “Compendium of
Supplementary
Guidelines on implementation issues of Operational Risk”, p. 11.
Operational Risk Reporting Standards 2011 12 July 2012
Background: Although Timing losses are not reportable to ORX, it is
considered
useful for members to collect them in their databases for risk
management
purposes.
Examples – Included in Reporting to ORX
An accounting error is made which results in the incorrect
reporting of
financial statements. As a result a fine is incurred. The fine is
to be reported
as an Operational Risk loss event (and NOT the correction of the
financial
statements).
An accounting error is made which results in the incorrect reporting
of financial
statements. As a result a class action suit is filed and a
settlement is made.
The legal loss is to be reported as an Operational Risk loss event
(and NOT
the correction of the financial statements).
In 2011 it was discovered that the P&L has been misstated for
two financial
years. The company expects a class action (e.g. as a consequence of
a
fallen share price) and therefore sets a provision aside. As this
timing loss
gives rise to legal risk and the P&L was misstated for over
two periods, this
timing loss is reportable to ORX. The reportable amount consists of
the
amount of the provision NOT the restatement of the P&L.
3.3.3 PENDING LOSSES
Definition: Pending losses are defined as losses from Operational
Risk events
which are temporarily booked in transitory and/or suspense accounts
and are not
yet recognized in the firm's P&L.
Requirement: These events should NOT be reported to ORX.
Examples – Excluded from Reporting to ORX
• Funds are recovered through right of offset – i.e. funds are
available in
another account held by the customer and recovered from that other
account
• Payment issued to wrong counterparty and the open position is
posted to a
suspense account.
3.4 BOUNDARY BETWEEN OPERATIONAL AND OTHER RISKS
The definition of “Operational Risk” is broadly worded to include
all elements of an
Operational Risk. But the wording could also be interpreted too
broadly to include:
• certain non-operational events, as many business risk events from
other risk
types (details outlined in sections below) could technically be
included within
the phrase “inadequate or failed internal processes, people.”
• events that have OR aspects, but are already included in the
capital regimes
of other risk types, especially Credit Risk and Market Risk. The
principle here
is to avoid double counting.
Therefore, this section intends to provide clear guidance on the
boundaries of OR,
i.e. to define which events are reportable and which are not; thus
the following
boundary issues are addressed within this section:
Credit Risk,
Market Risk,
Liquidity Risk,
Strategic Risk,
Business Risk,
Reputational Risk.
Requirement: Where the boundary relates to a risk category that
also attracts
regulatory capital then the overriding principle is that a firm
only provides capital for
the loss once. Under these circumstances the question is one of
whether the
capital calculation captures the risk / single loss data record.
This rationale still
applies even if the firm is using Standardized or Basic Indicator
approach to
determining capital for these risk categories.
3.4.1 CREDIT RISK
Definition: Credit risk is the risk of loss due to counterparty
default - failure to meet
a contractually pre-determined obligation.
Requirement: For ORX purposes, all individual Credit losses
(provisions or
depreciations based on the member bank's standards) above a
threshold of €500k
(a member may use lower thresholds internally) are to be reviewed
for the existence
of an Operational Risk component. Where an Operational Risk
component exists
and the impact is equal to or above €20k, then the event must be
reported to ORX. If
the OR component is within the Credit Risk regime (i.e. accounted
for in the P&L as
a credit loss AND reflected in Credit Risk Modelling), it is to be
flagged as OR
driven Credit Risk; if not, it is outright OR.
A member should report the OR component. If the Member is unable
to
identify the OR component then the full loan amount should be
reported as
an OR driven credit risk event.
Background: It is a Basel requirement for banks to record OR losses
within Credit
in their OR loss databases. Such events are characterized by the
fact that they are
OR by nature, however the loss due to default is already reflected
in the Credit Risk
capital calculations. To avoid double-counting, such OR losses
within Credit are to
be flagged and to be excluded from OR capital calculations.
Credit losses are usually either booked on specific accounts or
embedded in
trading P&L. Thus it is generally necessary for the OR function
to see to it that
employees involved in the credit risk related processes are trained
in recognising
operational losses, and to establish processes for analysis and
recording of the OR
component within these losses. As a consequence, for a number of
Members, it
can be the Credit Risk Impairment Team that is involved or even
determines
whether part of the loss is OR driven Credit risk and therefore
justifies the “C” and
reporting to ORX. It is important therefore that the Operational
Risk management
function liaise with their Credit counterparts to promote
consistency between firms
on the implementation of the Credit Risk Flag.
As this boundary is both accounting standard dependent and firm
specific, it is
acknowledged that in some cases the boundary defining credit losses
may be
drawn differently in member firms for the same type of loss.
However, the
ambiguity is not considered higher than in the credit processes
themselves, i.e. the
ambiguity is acceptable.
ORX ORRS Update - (0005) Madoff A (Req) 10 Dec 09.Doc
ORX ORRS Update - (0009) Trading Bk Risk Boundaries (Req) 5 Nov
09.Doc
ORX ORRS Update - (0010) Credit-OR Boundary Example (Req) 10 Dec
09.Doc
Examples – Included in Reporting to ORX (Operational Risks within
Credit)
• Collateral failure: failure to properly apply for loan insurance,
failure to make
a public filing needed to “perfect” a security interest, failure to
monitor
collateral and make timely collateral calls, etc. In such cases,
only the lost
collateral value is reported to ORX (which may be lower than the
full default
amount);
• Procedural failure: where processing errors prevent recovery on a
loan or
actually enable a loss, as where a cash advance is made on a credit
facility
that was earlier cancelled by the loan officer;
• Fraud: loans obtained in a fraudulent transaction;
• Legal issues: loan documents may contain legal defects (invalid
clauses,
ambiguous terms, etc.);
• Scoring models: errors in scoring models may result in the
approval of
transactions that would not be admitted;
• Sales practices: certain sales practices may result in credit
defaults.
• For capital purposes, any write-down due to loss of recourse may
be
considered credit loss.
• OR Losses are incurred because of technical errors by the lead
bank in a
loan syndicate. Syndicate Members agree to absorb part of the cost,
since
they recognize that they could have detected the lead bank’s error
at an
earlier date. This is a direct recovery for the lead bank, and a
gross loss for
the syndicate members.
Cross-reference: Basel II Accord section V. A
Para 101 Operational Risk losses that are related to credit risk
and
have historically been included in banks’ credit risk databases
(e.g.
collateral management failures) will continue to be treated as
credit risk
for the purposes of calculating minimum regulatory capital under
this
Framework. Therefore, such losses will not be subject to the
Operational Risk capital charge.
Para 102 Nevertheless, for the purposes of internal Operational
Risk
management, banks must identify all material Operational Risk
losses
consistent with the scope of the definition of Operational Risk (as
set
out in paragraph 644 and the loss event types outlined in Annex
7),
including those related to credit risk. Such material Operational
Risk-
related credit risk losses should be flagged separately within a
bank’s
internal Operational Risk database. The materiality of these losses
may
vary between banks and within a bank across business lines
and/or
event types. Materiality thresholds should be broadly consistent
with
those used by peer banks.
Please note that an ORX project is currently working on further
refinement of this
section.
3.4.2 MARKET RISK
Definition: Market risk is defined as the risk of loss due to
market price changes
on outstanding positions, due to discretionary market
judgements.
Requirement:
OR events within a bank that either cause a market risk loss or
where market
risk drives the severity are to be reported as an OR loss.
OR events outside the bank that cause market risk losses within a
bank or
increase their magnitude are NOT to be reported. Only exception:
External or
Internal fraud directly against the bank.
Background: The original Basel II Accord has almost no guidance on
the OR/MR
boundary, and the ORRS version from 2007 also has limited coverage.
In the
meantime, the CEBS has published a compendium and ORX already
has
published case law on the topic, addressing major events that have
occurred in the
meantime. ORRS is in line with CEBS.
Examples – Included in Reporting to ORX:
• Rogue trading
• Human errors in transactions originated in market areas (e.g. fat
finger, buy
instead of sell). The amount to be reported is the amount of the
mark-to-market impact in the daily (trading) P&L when discovered
plus costs to
unwind positions.
deficiencies, missed deadline)
• Stop loss or position limit violation: losses incurred from
failure to properly
execute a stop loss or excess of approved limits will be
considered
operational (only the amounts in excess of the stop loss or limit
will be
recorded).
• Reimburse clients for alleged improper due diligence before fund
sales.
• A security is bought when a sale was intended and the error is
detected the
same day, the market value on the day of the transaction is
utilized for
purposes of calculating impact, even if the security is held for
a period of time
afterwards until a more favourable market environment develops. In
this case
impact is determined at the time the event is discovered.
Examples – Excluded from Reporting to ORX: (“OR driven MR”)
• Enron balance sheet fraud impacting market price of Enron shares
in trading
book
• Fraud at an (external) SPV impacting the market price of a
security in the
bank’s trading book
• Terrorist attack destroying assets of a firm held in private
equity portfolio (on
bank account)
• Market risk losses (e.g. trading losses, incorrect investment
decisions) are
not considered OR.
ORRS Updates
ORX ORRS Updates - (0005) Madoff A (Req) 10 Dec 09.Doc
ORX ORRS Updates - (0009) Trading Bk Risk Boundaries (Req) 5 Nov 09.Doc
ORX ORRS Updates - (IE0001) Visa (Req) 23 Apr 10.Doc
Cross-reference: Basel 2 CRD
Operational Risk losses that are related to market risk are treated
as
Operational Risk for the purposes of calculating minimum
regulatory
capital under this Framework and will therefore be subject to
the
Operational Risk capital charge.
3.4.3 STRATEGIC RISK
Definition: “Strategic risk is defined as negative effects on
capital and earnings
due to business policy decisions, changes in the economic
environment, deficient
or insufficient implementation of decisions, or a failure to adapt
to changes in the
economic environment.”
Strategic risk losses occur when conscious business decisions in an
uncertain
environment (without any OR components like process failures or
guideline
breaches) retrospectively turn out to be wrong. They are often —
but not always —
associated with senior management decision making.
Requirement: Strategic Risk Losses are not recordable in the ORX
database as
they are not OR based on the Basel definition. This also holds for
the strategic
components of Project Risk (see section below).
Examples - Excluded from Reporting to ORX
• Decisions to invest in new business lines, products, assets,
markets,
services, equipment, projects, etc.;
• Merger and acquisition decisions;
• Regional or local based strategy (opening and closing branches
or
processing centres, etc.);
• Personnel hiring and termination decisions (unless carried out in
a manner
that violates legal or contractual requirements). See event
category
“Employee Relations” (Section 5.2 and the Appendix) for a more
detailed
explanation.
• Goodwill payments: The acceptance for relationship purposes of a
loss (or
making up for client’s losses) for which a client bears full
responsibility is a
strategic decision, and thus is not recordable. However, this
applies only
where the client is entirely at fault and the bank has fulfilled its
obligations (for
instance reminding the client of their obligations on a timely
basis). This does
not excuse a case in which the firm books client fees but neglects
to send
bills for an extended period, and then decides to “forgive” the
obligation when
the mistake is finally discovered.
ORRS Updates
ORX ORRS Update - (0002) Strategic Risk (Req) 23 Apr 10.doc
ORX ORRS Update - (0003) Project Risk (Req) 10 Dec 09.Doc
ORX ORRS Update - (0004) Strategic Risk Goodwill (Req) 23 Apr
10.Doc
3.4.4 PROJECT RISK
Definition: A project is a temporary endeavour undertaken to create
a unique
product, service or result. A project has a definite beginning and
end. The
end of the project is reached when the project’s objectives have
been
achieved or when the project is terminated because it will not or
cannot
achieve its objectives, or the need for the project no longer
exists.
Project Risk is the Risk that the project does not:
Provide the agreed functionality, and/or
Complete within the Budget, and/or
Complete on time.
Requirement: Based on the definition of Strategic Risk above,
project risk losses
incurred due to incorrect judgment and bad decisions are Strategic
Risk and thus
not reportable to ORX as they are not OR based on the Basel
definition.
Examples – Included in Reporting to ORX:
“Normal” Operational Risk events that happen during the project are
recognised as
OR losses and are reportable to ORX (e.g. late or duplicate
payments, frauds,
guideline breaches). For such individual events the decision as to
whether they are
included in Operational Risk reporting or not is based upon
considering the event in
isolation of any projects.
Examples – Excluded from Reporting to ORX:
Budget overruns, “scope creep” and project cancellations are not to
be reported.
The underlying judgments and decisions are similar to decisions to
invest in new
business, which may go wrong in a similar manner.
ORRS Updates:
ORX ORRS Update - (0002) Strategic Risk (Req) 23 Apr 10.doc
ORX ORRS Update - (0003) Project Risk (Req) 10 Dec 09.Doc
3.4.5 BUSINESS RISK
Definition: Business risk is defined as the risk that volumes may
decline or
margins may shrink, with no opportunity to offset the revenue
declines with a
reduction in costs. Business Risk captures the risk to the firm’s
future earnings,
dividend distributions and equity price.
Requirement: Business Risk losses are not recordable in the ORX
database.
Examples of Business Risk – Excluded from Reporting to ORX:
• Business risk measures the risk that a business may lose value
because its
customers sharply curtail their activities during a market
down-turn or
because a new entrant takes market share away from the bank.
• This risk increasingly extends beyond balance-sheet items to
fee-generating
services, such as origination, cash management, asset
management,
securities underwriting and client advisory services.
• Business Risk incorporates decisions around the mix of cost
types, for
example variable, semi-variable, semi-fixed and fixed costs. The
cost of
postage is a variable cost as it would not be incurred without
having
something to post. However, the cost of notifying a counterparty
about a
transaction is largely fixed due to the investment in computer
systems and
these costs would be incurred even if the transaction had not been
executed.
Cross-reference: (Basel Committee published "Ranges of Practices
and Issues in
Economic Capital Frameworks" (March 2009) page 25)
3.4.6 REPUTATIONAL RISK
Definition: Reputational Risk is defined as the damage to the
firm’s reputation with
relevant external parties, such as counterparts, clients, the
shareholder community,
governments, regulators etc.
Requirement: Reputational Risk is not recordable as an Operational
Risk loss.
This is true both
where the entire impact of an event is reputational, and
where reputational damage is one impact of an event that also has
other,
recordable losses (in this case only the recordable losses are
submitted as
an OR event to ORX).
3.4.7 LIQUIDITY RISK
Definition: The risk of loss arising from a situation where (1)
there will not be
enough cash and/or cash equivalents to meet the needs of depositors
and
borrowers, (2) sale of illiquid assets will yield less than their
fair value, or (3) illiquid
assets cannot be sold or purchased at the desired time due to
lack of market
participants or capacity.
Funding Liquidity Risk is defined as the risk that the firm will
not be able to meet
efficiently both expected and unexpected current and future cash
flow and
collateral needs without affecting either daily operations or the
financial condition of
the firm.
Market Liquidity Risk is the risk that a firm cannot easily offset
or eliminate a
position at the market price because of inadequate market depth or
market
disruption.
Requirement: Neither of the two aspects of liquidity risk is
reportable to ORX.
QUANTIFICATION
4.1 GENERAL PRINCIPLES
An Operational Risk event is not subject to ORX reporting unless it
has a
quantifiable negative impact on the P&L of the firm. Such
impacts may be reflected
anywhere in the P&L of the firm, and multiple impacts must be
aggregated for
submission. The quantifiable impacts are described below as Gross
Losses and
Recoveries (direct and indirect).
Splitting events is allowed when multiple Business Lines are
impacted, even if the
event is reflected as a single item in the accounts at Corporate
level (see 5.3). In
this case related events must be linked. It should be noted that
the splitting (and
linking) of events is not permitted for any other category (e.g.
Event Type, Product
or Process).
ORRS Updates
ORX Case Law - (0011) Loss Allocation Legal Entities (Req) 8 Apr
10.Doc
ORX Case Law - (0012) Loss Allocation Products (Req) 4 March
2010.Doc
4.1.1 GROSS LOSS
Definition: Gross Loss equals the sum of all P&L impacts
related to an Operational
Risk event before recoveries. Operational Risk gains, opportunity
losses (Section
4.2.2), internal costs (overtime, bonus etc.) and timing losses
(Section 3.3.2) are
not reported to ORX although they may be collected internally by
member banks.
In a few cases the Gross Loss may be based upon a definable or
quantifiable
economic impact upon the firm. Examples include uncollected revenue
associated
with contractual obligations and depreciated Fixed Assets,
Investment Assets and
Intangibles (Section 4.2.4).
Requirement: Gross Loss above the reporting threshold is reportable
to ORX.
Examples – Included in Reporting to ORX - For ORX purposes, the
following
specific items are included in Gross Loss computation:
Charges to P&L and write-downs due to Operational Risk
events;
Uncollected Revenues and Negative Revenues;
External costs of repair or replacement made to restore the firm to
its original
pre-event position;
External attorney fees paid in connection with Operational Risk
litigation;
Payments made to third parties for lost use of funds, net of
amounts earned
on funds held pending a late payment.
A single event can cause both positive and negative P&L
impacts. An
example is a system outage in a bank, causing all trades in a
location to be
executed one day later. This may have a positive impact on some of
the
trades and a negative impact on others, depending on market
movements
and the trade details. These impacts are to be netted, as they are
all
components of the Gross Loss (i.e. the positive components are not
to be
considered recoveries as described below). If the net amount is a
loss and
exceeds the threshold, it is to be reported. In a special case this
may even
lead to the following submission to ORX: two linked events of €100k
(loss) in
Global Markets and -€50k (gain) in Equities. The reference business
line
should be the one where the losses occurred, as opposed to any
gains.
ORRS Updates
ORX ORRS Update - (0010) Credit-OR Boundary Example (Req) 10 Dec
09.Doc
ORX ORRS Update - (IE0013) Payment Protection Insurance (Rec) 7 May
10.Doc
4.1.2 RECOVERIES
Definition: In some instances, Operational Risk losses can be
reduced after-the-fact by recoveries. A recovery is an independent occurrence,
separate in time from
the original event, in which funds are recovered or contributed,
usually from or by a
third party. Recoveries may be direct or indirect. An indirect
recovery is generally
an insurance recovery (capital market products may be there in the
future). A direct
recovery is any payment (other than an indirect recovery) received
by the bank
which offsets the loss.
Requirement: The reporting threshold for ORX submissions applies to
the Gross
Loss before any recoveries. Recoveries can only be recognised if
the initial Gross
Loss has been recognised in the P&L, i.e. recoveries are not
appropriate for items
in suspense accounts.
Indirect recoveries are reportable to ORX, including those received
from
independent, regulated captive insurance companies (i.e. the
indirect recoveries
may be accepted by the firm’s local regulator as eligible for
capital reduction).
Examples – Included in Reporting to ORX:
• Payments received from an insurance company as a result of a
claim made
by the bank against an insurance policy are an indirect
recovery.
• A firm incurs losses for which it initiates legal action (as
plaintiff), claiming
antitrust violations. Amounts received in settlement of the
litigation represent a
direct recovery relative to the original losses, for example
external legal fees.
(see Legal Events Section 3.2.3)
ORRS Updates
ORX ORRS Update - (0010) Credit-OR Boundary Example (Req) 10 Dec
09.Doc
4.2 SPECIAL CASES
4.2.1 RAPID RECOVERIES
Definition: ORX defines a rapid recovery as a P&L loss that is
fully or partially
recovered within no more than 5 business days from the Date of
Recognition.
Requirement: Rapid recoveries are not separately reportable. A
Rapid Recovery
within the 5 business days can thus be deducted from the gross loss
OR reported
as a direct recovery.
• Payment made to wrong counterparty, the counterparty identifies
the error
and returns the entire payment within 5 business days of being
initially posted
to the P&L. As the Initial Loss and the Rapid Recovery net to
€0 the event is
considered to be a “near miss”.
• A single error in payment system results in €100,000 being
overpaid to two
counterparts. One counterpart returns €65,000 within 2 business
days of the
overpayment. Gross Loss reported to ORX is €35,000 (= €100,000
-
€65,000).
• A single error in payment system results in €100,000 being
overpaid to two
counterparts. One counterpart returns €65,000 within 2 business
days of the
overpayment. The outstanding €35,000 is repaid after 15 business
days.
The Gross Loss reported to ORX is €35,000 with a Direct Recovery
of
€35,000.
• For losses from misdirected payments this means that they should
only be
reported if they have not been fully recovered 5 business days
after they
have been booked from suspense account to P&L.
• A misdirected wire transfer is not detected for several months, and
once
discovered the payment is not immediately returned on a voluntary
basis.
The firm books a loss on the P&L. After further negotiation,
the firm is able to
regain the funds after more than 5 business days. The event is
reportable to
ORX, the recovery is classified as a direct recovery.
• An erroneous wire transfer is made on June 29, the policy of the
firm is to book these to P&L. The provisional P&L on the
quarter end shows the wire transfer as a loss. On July 2 the firm
recovers all of the money and makes a prior period accounting
adjustment, within the 5 business day window for rapid recoveries.
The net amount after recovery is €0. In this case the prior period
accounting adjustment must be reflected in the amount reported to
ORX to avoid inappropriate volatility in data used by ORX Members
due to the use of the provisional accounts as opposed to the final
accounts.
ORX ORRS Update - (0022) Rapid Recoveries (Draft) 27 Aug
10.Doc
4.2.2 REVENUE ADJUSTMENT
Definition: Revenue Adjustment is where the impact of an
operational risk event is
incorporated into the revenue stream rather than being entered into
a general
ledger error account or the equivalent.
Requirement: Revenue Adjustments that are negative are to be
reported to ORX.
By their very nature the impact of operational risk events
resulting in Revenue
Adjustments may not be fully reflected in the General Ledger. As a
result, events
that generate losses, which have been disclosed internally and are
traceable, will be
reported to ORX. It is recognised that Members who use the general
ledger as a
reference will not be able to quality assure these Revenue
Adjustments with the
same degree of certainty over completeness or amount. As a result
events which
have been disclosed internally and are traceable will be reported
to ORX.
Revenue Adjustments which represent gains may be captured by
Members to
provide a more complete picture of operational risk events.
Examples – Included in Reporting to ORX
A trader executes a transaction, for a client, the wrong way round,
for
example a buy instead of a sell. Upon identification the trader
reverses the transaction
incurring a loss. The loss is incorporated into the daily P&L
of the trader.
A trader executes a transaction, as principal, and executes the
wrong
amount. Upon identification an adjustment is made to the position
on the
firm’s balance sheet incurring a loss. The loss is incorporated
into the daily
P&L of the trader.
4.2.3 UNCOLLECTED REVENUE
Definition:
Uncollected revenue is defined as revenue which is not collected
due to an
operational risk event.
Requirement: Uncollected revenue is reportable to ORX when:
There is an explicit decision not to collect revenue as a means
of
compensation following an operational risk event despite the
existence of a
contractual obligation on the side of the client.
It is not realized as a result of an operational risk event and
where the client
does not have the contractual obligation to compensate the
firm.
It is not realized as a result of an operational risk event by the
firm in the
execution of the contractual obligation.
By their very nature the impact of operational risk events
involving Uncollected
Revenue may not be fully reflected in the General Ledger. As a
result events
which have been disclosed internally and are traceable will be
reported to ORX. It
is recognised that Members who use the general ledger as a reference
will not be
able to quality assure these Uncollected Revenues with the same
degree of
certainty over completeness or amount. As a result events which
have been
disclosed internally and are traceable will be reported to
ORX.
Examples – Included in Reporting to ORX
The bank decides to not charge a client the full fee in
compensation for an
operational risk event involving the client caused by the bank.
The
compensation is the amount to be reported as Gross Loss. (The bank
decides
to reduce or waive its fee for the next 6 months to compensate for
a separate
operational risk event).
The bank compensates a client for an operational risk event through
a
revenue adjustment (suspension of a fee) rather than a
compensation
payment. An asset manager has an operational risk event (i.e.
trading error)
and compensates the client through a revenue adjustment (waiving
or
reducing contractual fees for a period of time).
The bank charges a lower fee than contractually required due to
an
operational risk event. The bank decides not to claim the amount.
(The
contractual obligation was at 1.9% and the bank charged the client
0.9%
interest due to an setup error and has made a decision not to go
after the
1%.) This amount is to be reported as a Gross Loss.
Examples – Excluded from Reporting to ORX
• A bank issues an invoice to a client. The client does not pay. This constitutes uncollected revenue and is contained within credit risk. No operational risk event occurred.
• A product launch is cancelled due to an operational risk event. The budgeted revenue does not reflect a contractual obligation. This is an opportunity cost.
• A trader cannot trade due to a power failure. The revenue that the trader wishes to have made is not a contractual obligation and constitutes an opportunity cost.
• A business unit is suspended due to regulatory sanction from conducting specific types of revenue generating activities. The uncollected revenues during the period of suspension are opportunity costs due to the lack of contractual relationship with clients.
• An ATM machine fails over a weekend. Any uncollected revenues that might have been generated are opportunity costs due to lack of contractual agreement with clients to use one or more ATMs.
• Undercharging or overcharging for product or services as the settlement amount would be treated as a timing error. E.g. wrongly overcharged interest rates or fees which are later refunded to the client. Although the event can be caused by operational risk, e.g. procedural failures or human mistakes, this is a timing error as the balance sheet / P&L is the same as it would have been if the error had not taken place.
4.2.4 FIXED ASSETS, INVESTMENT ASSETS, AND INTANGIBLES
Definition: The Gross Loss for Fixed Assets, Investment Assets and
Intangibles
deviates from using “book value” accounting standards to economic
value.
Economic value can be considered to be the cost of replacement.
This is due to
these accounting standards being established for purposes other
than OR
Management purposes.
Requirement: The following rules will apply for ORX
reporting:
• If the damaged/lost asset is replaced, the recordable loss amount
will be the
replacement cost, on a net present value basis. For this
purpose:
1 Replacement cost is determined by the actual invoice or amount
paid, or
the present value of a new financing obligation;
2 Relative costs of maintenance or operation (e.g., of a new
building versus
a destroyed building), are not to be taken into account;
3 Enhancements are not part of replacement cost, but general
improvements in replaced equipment, (e.g., due to interim
technological
advances), are not “enhancements”.
• If a damaged/lost asset is not replaced, then the market value,
if any, of the
asset just prior to the event, will be recorded. In case there is
no way to
obtain the market value, then the book value will be used.
Note: This means that the loss will deviate from the P&L
impact.
Any insurance recovery received will be reported as an indirect
recovery.
Background: It is understood that accounting rules for fixed assets
and intangibles
will vary according to country. The rules above aim at reporting
the economic
impact and to ensure that events are reported similarly without
regard to origin.
Examples – Included in Reporting to ORX:
• Destruction of a building that is fully depreciated
Examples – Excluded from Reporting to ORX:
• Misreporting of income from assets held in non Mark-To-Market
books
(investment assets) usually creates a timing impact, which can be
fully
corrected once discovered and which is not subject to ORX
reporting.
4.2.5 PROVISIONS & RESERVES
Requirement: A provision or reserve taken for an individual OR
Event must be
included in the gross loss reported for the event. The amount
reported to ORX
should be adjusted in subsequent periods as the size of the
provision/reserve
changes.
If a provision is taken for several events whose background or
impact is not
individually determined, then the item is NOT reportable until the
investigation is
complete.
Background: Sometimes the impact of an Operational Risk event is reflected in the P&L by a provision, before it is finally closed out. This occurs most often in litigation matters or in complex events where additional time for investigation or repair is required.
ORRS Update
ORX ORRS Update - (0010) Credit-OR Boundary Example (Req) 10 Dec
09.Doc
Cross-reference: See also Section 3.2.3 – Legal Events for the
reporting of
provisions / reserves that are subject to on-going actions.
4.2.6 REGULATORY ACTION – FINES AND/OR PENALTIES
Definition: Regulatory action is defined as fines, penalties or
settlements as a
result of failure to follow regulatory prescriptions.
Requirement: Regulatory action falls in several categories, as
listed below. Some
categories are recordable as OR losses and some are not. It should
be noted that
regulatory action for one event is often composed of impacts
falling in more than
one of the categories.
Examples - Included in Reporting to ORX:
Regulatory fine: Recordable as OR loss.
Restitution to clients: Recordable as OR loss. Although the
underlying idea is
disgorgement of profits (i.e. repayment of profit made in the past
that is not
considered appropriate by the regulators), it has the character of
backdated
change in law, which is recordable.
Mandatory contribution to fund or specific expenditure: Recordable
as OR
Loss, as it does not matter who receives the penalty.
Examples - Excluded from Reporting to ORX
Close of business for some time (license suspension): not
recordable, as this
is an Opportunity Cost.
Cost to fix the identified deficit: Not recordable, because these
are generally
investments to improve controls etc.
4.3 FX CONVERSION RATES
Requirement: When reporting to ORX, Members using base currencies
other than
Euro, must convert their loss amounts to Euro based on the exchange
rate. The
conversion should be performed with the internal booking date. The
accounting
date / recognition date of the event can be applied in the case
where the internal
booking date is not available for every single booking. The
internal booking date
must be the main driver for reporting purposes.
5. HOW TO CATEGORISE OPERATIONAL RISK LOSSES
This section provides an overview of the ORX categorisation
dimensions. More
detail on the individual category labels can be found in the
separate document
“ORRS Appendix – Detailed Description of Data Categories”.
5.1 BUSINESS LINES
Definition: Business Lines represent profit centres where the
revenues are
generated from third parties, not allocations from other parts of
the firm (service
centres). In recognition that some events are experienced by the
entire firm, or
large part of the firm, there is a specially designated Business
Line called
“Corporate Items” (see Section 5.1.1).
The Business Lines used for reporting by ORX Members are similar to
those used
for reporting to the supervisors, but not exactly the same as can
be seen in Table 1
below. It is not expected that any bank will have organised its
business units or
business divisions in accordance with ORX or supervisory business
lines, as a
result some allocation of Gross Income and OR Losses will be
required (see
Section 5.1.3 below Materiality).
The general objective of the Business Line attribute is to:
Encompass the entire transaction / value chain,
Include activities that may be performed centrally on behalf of the
Business
Line,
Include activities that may be outsourced to non-bank group
subsidiaries
and/or third parties.
Essentially a Business Line has direct or indirect access to all of the resources to be equivalent to an independent company, for example finance, accounting, HR, IT, capital etc.
Requirement: ORX requires the allocation of all Operational Risk
events to a Level
2 Business Line.
5.1.1 CORPORATE ITEMS
Definition: The Business Line Corporate Items has been created for
purely
corporate level items, such as those affecting the Board of
Directors (or the
equivalent) as a whole or as individuals, misreporting financial
statements, or other
events at the corporate centre. Corporate Items is meant to be a
narrow category
and is not expected to include business losses to avoid specifying
ownership or
accountability. A Corporate Item must not be part of an allocation
of loss that is an
element of an event affecting multiple Business Lines.
The extent of use of this category by member banks is monitored as
an element of
the in-cycle quality assurance. All members are expected to report
fewer than 10 %
of their total number of events or gross loss in this
category.
As a service centre, Corporate Items does not have any Gross
Income. If Gross
Income is associated with the loss then it must be mapped to a
business line that is
a profit centre.
[Figure 1 - Decision Tree for Mapping Corporate Items]
See Section 3.2.1 Grouped Losses for an Example of Relationship
between
Grouped, & Linked Losses
5.1.2 EVENTS AFFECTING MULTIPLE BUSINESS LINES
Requirement: A loss affecting multiple business lines must be
reported to ORX as
linked losses using a common reference code.
In some cases, Operational Risk events impact more than one
Business Line.
ORX Members should attempt to assign each event to a single
business, based on
degree of impact, etc. But, where an infrastructure or similar
event impacts
significantly different businesses, separate records should be
submitted for each
line of business impacted. The “related events” field will be used
to indicate which
records are linked by including a common internal reference (this
will be converted
by the Administrator into a different code when stored in the ORX
database to
maintain confidentiality)1.
All individual events being part of a grouped event must be classified within the same event type category. For each Related Event ID only one record is allowed per level 2 BL/ET combination, i.e. member banks must aggregate multiple records in a single level 2 BL/ET combination before submission.
Please note the mapping of one internally reported event allocated
to one internal
Business Line must not lead to multiple ORX-Business Line
recordings of single
events.
5.1.3 MATERIALITY
Requirement: The trigger for separately mapping an activity to a
Business Line
Level 2 begins when the Number of Losses is equal to or regularly
exceeds 1% in a
quarterly data delivery. Having begun to map the activity to the
Level 2 Business
Line then it must continue in future data deliveries. Changes to
historical data are
not required.
It is expected that this test will be applied annually or whenever
there is a
reorganisation, for example business acquisition.
Background: It is expected that some degree of sub-allocation will
be needed
between the firm’s business units and ORX Business Lines Level 2.
It is
unreasonable to expect that every loss is mapped exactly to every
ORX Business
Line Level 2. In addition to the losses, this would also have
implications for the
mapping of Gross Income. As a result a materiality test is
required.
1 Two sets of Loss Event Severity reports are delivered:
(a) reports including multi-impact events split by LOB, and
(b) a new set of reports in which events impacting more than one
LOB are combined into a single record, with the resulting LOB
called “Multi-Impact.”
This allows event-level modelling of such items and later
allocation based on businesses impacted.
Table 1 – Business Lines Type Level 1 & 2 – Basel &
ORX
Business
Unit
Level 1 Level 2 Code Level 1 Code Level 2
Investment Banking
Corporate Finance
Corporate Finance
Municipal / Government
Merchant Banking
Advisory Services
BL0202 Global Markets
BL0203 Corporate Investment
Card Services
Private Banking
BL0302 Card Services
Commercial
Banking
BL0401 Commercial Banking
BL0502 Securities Clearing
Agency Services Custody
BL0602 Corporate Trust & Agency
Level 1 Level 2 Code Level 1 Code Level 2
Retail Brokerage Retail Brokerage BL08 Retail Brokerage BL0801
Retail Brokerage
BL10 Corporate Items BL1001 Corporate Items
Note: the following changes from ORRS 2007 have been
implemented
Merge Agency Services / Custom Services BL0603 into BL0602 Agency
Services / Corporate Trust & Agency
5.2 EVENT TYPES
Definition: Event Types represent a description of what happened. The Event Types used by ORX are as close as possible to the intent of the Basel Committee, but not exactly the same.
The principal requirement for ORX event classification is to
support consistency,
according to agreed rules and definitions. Several means may be
available to
support the classification process (decision trees, types,
etc.).
Essentially the Event Type label is a response to the question
“What happened to
give rise to this Operational Risk loss?” Why it happened would be
part of causal
analysis and outside the scope of the Event Types.
Requirements: ORX requires the allocation of all Operational Risk
events to a
Level 2 Event Type.
Table 2 - Comparison of Basel and ORX Event Type Grids
Basel ORX
Level 1 Level 2 Code Level 1 Code Level 2
Internal Fraud Unauthorised Activity
EL0102 Internal Theft & Fraud
External Fraud Theft & Fraud ext
Systems Security
EL0202 System Security External – Wilful Damage
Employee Practices & Workplace Safety
EL0301 Employee Relations
Product Flaws
EL0401 Suitability, Disclosure & Fiduciary
EL0403 Product Flaws
EL0501 Natural disasters & Other Events
EL0502 Accidents & Public Safety
EL0503 Wilful Damage & Terrorism
Business Disruptions & System Failures
EL0601 Technology & Infrastructure Failures
Level 1 Level 2 Code Level 1 Code Level 2
Execution, Delivery & Process Management
EL07 Execution, Delivery & Process Management
EL0701 Transaction Capture, Execution & Maintenance
EL0702 Monitoring & Reporting
Note: the following changes from ORRS 2007 have been
implemented:
Step 1
Merge Internal Fraud / Internal Systems Security (for profit)
EL0103 with EL0102 to form new EL0102 Internal Fraud /
Internal
Theft & Fraud
Merge External Fraud / External Systems Security (for profit)
EL0202 with EL0201 to form new EL0201 External Fraud /
External
Theft & Fraud
Rename Disasters & Public Safety EL0501 to include the word
Natural
Step 2:
Move Malicious Damage / Wilful Damage and Terrorism EL0801(2007) to
become EL0503 Natural Disasters & Public Safety /
Wilful Damage and Terrorism
Move Malicious Damage / Systems Security – Wilful Damage Internal EL0803(2007) to become new EL0103 Internal Fraud / System Security Internal – Wilful Damage
Move Malicious Damage / Systems Security - Wilful Damage External
EL0802(2007) to become new EL0202 External Fraud /
System Security External – Wilful Damage
5.3 PRODUCT TYPES
Definition: Products, which also include services, are the sources
of revenue for a
bank via direct or indirect fees.
The general objective of the product type attribute is to:
increase the understanding of the nature of losses and
facilitate an improvement in transparency within a Member
link losses to products for P&L and budget purposes
identify chronic or recurring weaknesses, and
promote value-added dialogue with the businesses and functional
areas
regarding the impact of their Operational Risk experience and
potential
Operational Risk exposure
Requirements: ORX requires the classification of all Operational
Risk events
against Level 2 of the product type. Whether to classify a certain
loss to a specific
product type depends on what product or service was involved when
the event
happened.
If revenue streams from multiple products were affected then use
the one single
product type to which the event contributing the bulk of the Gross
Loss can be
attributed. If no single product was involved or where the event
was so widespread
that specifying individual products would no longer be relevant or
would add little or
no value, then classify these losses as ‘not product related’ (e.g.
branch or ATM
robberies, natural disaster etc.).
Examples – Included in Reporting to ORX
Activities carried out by a bank, e.g. accepting and paying
cheques,
safekeeping of assets, administration of third party investment
funds;
Tools provided by a bank, e.g. internet banking, ATMs/ABMs, online
wire
transfers; debit cards;
for client trades; providing advice; lending securities.
5.3.1 BUNDLED PRODUCTS
Definition: Bundled Products occur in two situations and are
defined as follows:
A bank puts together a bundle or package of products or services; a
single
fee is charged for the whole bundle. Some of the products included
in the
bundle may also be available on a standalone basis and can be
purchased
individually.
A product which is offered on a standalone basis by one bank is
provided as
an adjunct or incid